This book offers a new account of the legal conflict between privacy and trade in the digital sphere. It develops a fundamental rights theory with a new right to continuous protection of personal data and explores the room for the application of this new right in trade law. Replicable legal analysis and practical solutions show the way to deal with cross-border data flows without violating fundamental rights and trade law principles.
The interplay of privacy and trade became a topic of worldwide attention in the wake of Edward Snowden’s revelations concerning US mass surveillance. Based on claims brought forward by the activist Maximilian Schrems, the ECJ handed down two high-profile rulings restricting EU-US data flows. Personal data is relevant for a wide range of services that are supplied across borders, and restrictions on data flows therefore have an impact on the trade in such services. After the two rulings by the ECJ, it is less clear than ever how privacy protection and trade can be brought together on an international scale.
Although it was widely understood that the legal dispute over EU-US data flows concerns the broad application of EU data protection law, it has never been fully explored just how far the EU’s requirements for the protection of digital rights go and what this means beyond EU-US data flows. This book shows how the international effects of EU data protection law are rooted in the EU Charter of Fundamental Rights and that the architecture of EU law demands that the Charter as primary EU law takes precedence over international law. The book sets out to solve the problem of how the EU legal data transfer regime must be designed to implement the EU’s extraterritorial fundamental rights requirements without violating the principles of the WTO’s law on services. It also addresses current developments in international trade law – the conclusion of comprehensive trade agreements – and offers suggestions for the design of data flow clauses that accommodate privacy and trade.
Author(s): Tobias Naef
Series: Studies In European And International Economic Law | 28
Edition: 1
Publisher: Springer
Year: 2023
Language: English
Commentary: TruePDF
Pages: 442
Tags: European Economic Law; International Economic Law; Trade Law; IT Law; Media Law; Intellectual Property; European Fundamental Rights And Freedoms
Acknowledgments
Contents
List of Abbreviations
Chapter 1: Introduction
1.1 Framing
1.2 Questions
1.3 Structure
1.4 Method
References
Bibliography
Jurisprudence
Documents
Part I: European Union Data Protection Law
Chapter 2: The Global Reach of the Right to Data Protection
2.1 Development of the Right to Data Protection
2.1.1 Early Data Protection Laws
2.1.2 Materialization in International Instruments
2.1.3 Harmonization in Community Law
2.1.4 Inclusion in the Charter of Fundamental Rights
2.1.5 Summary
2.2 Substance of the Right to Data Protection
2.2.1 Foundational Values
2.2.1.1 Privacy
2.2.1.2 Informational Self-Determination
2.2.1.3 Transparency
2.2.1.4 Democracy
2.2.2 Written Constituents of the Right to Data Protection
2.2.2.1 General Principle
2.2.2.2 Fairness, Purpose Specification, and Basis for the Processing of Personal Data
2.2.2.3 Right of Access and Right to Rectify
2.2.2.4 Independent Supervision
2.2.3 Relationship with the Right to Private Life
2.2.3.1 The Right to Private Life
2.2.3.2 Distinct But Overlapping Rights
2.2.3.3 Combined Reading of the Two Rights
2.2.3.4 The Added Value of Having Two Fundamental Rights
2.2.4 Limitations on the Right to Data Protection
2.2.4.1 Interference with the Right to Data Protection
2.2.4.2 The Essence of the Right to Private Life
2.2.4.3 The Essence of the Right to Data Protection
2.2.4.4 Lawful Limitations
2.2.4.4.1 Legal Basis
2.2.4.4.2 Objectives of General Interest and Protection of the Rights of Others
2.2.4.4.3 Proportionality
2.2.5 Summary
2.3 The Extraterritorial Dimension of the Right to Data Protection
2.3.1 The Right to Continuous Protection of Personal Data
2.3.1.1 Continuous Protection of Personal Data in Schrems
2.3.1.2 Continuous Protection of Personal Data in Opinion 1/15
2.3.1.3 Continuous Protection of Personal Data in the AG Opinion on Schrems 2
2.3.1.4 Continuous Protection of Personal Data in Schrems 2
2.3.2 Theory of Territorial Extension of Union Law
2.3.3 Justification
2.3.3.1 Legal Basis in the Treaties
2.3.3.1.1 Field of Application of the Charter
2.3.3.1.2 The Right to Data Protection in the EU Treaties
2.3.3.1.3 External Relations of the European Union
2.3.3.2 Effective Protection of Fundamental Rights
2.3.3.3 Foundational Values of the Right to Data Protection
2.3.3.4 No Analogy with Soering v. United Kingdom
2.3.4 Essential Equivalence
2.3.4.1 Comparison
2.3.4.2 Meaning
2.3.4.3 Level of Protection
2.3.4.4 Limitations
2.3.5 Summary
2.4 The Extraterritorial Dimension of the Right to Data Protection and Foreign Surveillance
2.4.1 Foreign Internet Surveillance
2.4.1.1 Access to Personal Data Held by Private Companies
2.4.1.1.1 Surveillance Practice
2.4.1.1.2 Standards for Comparison of Essential Equivalence
2.4.1.2 Interception of Data Flows from the Internet
2.4.1.2.1 Surveillance Practice
2.4.1.2.2 Standards for Comparison of Essential Equivalence
2.4.2 Requirements for Essential Equivalence of Protection from Internet Surveillance
2.4.2.1 Clear, Precise and Accessible Rules
2.4.2.2 Necessity and Proportionality
2.4.2.3 Independent Oversight Mechanism
2.4.2.4 Effective Remedies
2.4.3 No Double Standards for Foreign Internet Surveillance
2.4.4 International Human Rights Law and Internet Surveillance
2.4.4.1 Data Protection in the ICCPR
2.4.4.2 Application of the ICCPR
2.4.4.2.1 Nationality
2.4.4.2.2 Territory
2.4.4.3 Standards of the Right to Privacy
2.4.4.4 Violation of the ICCPR
2.4.5 Summary
2.5 Conclusion
References
Bibliography
Jurisprudence
Documents
Chapter 3: The Restrictive Effect of the Legal Mechanisms for Data Transfers in the European Union
3.1 The System of Data Transfers
3.1.1 Development of the Rules on Data Transfers
3.1.1.1 Early Data Protection Laws in Europe
3.1.1.1.1 Sweden
3.1.1.1.2 Germany
3.1.1.1.3 France
3.1.1.2 Materialization in International Instruments
3.1.1.2.1 OECD Privacy Guidelines
3.1.1.2.2 Council of Europe Convention 108
3.1.1.2.3 Council of Europe Model Contract
3.1.1.3 Harmonization in Union Law
3.1.1.3.1 First Draft of Directive 95/46/EC
3.1.1.3.2 Amended Draft of Directive 95/46/EC
3.1.1.3.3 Final Draft and Directive 95/46/EC
3.1.1.4 Consolidation in Union Law
3.1.2 Policy Objectives of the Rules on Data Transfers
3.1.2.1 Anticircumvention
3.1.2.2 Enhancing Trust in the Information Society
3.1.2.3 Security
3.1.2.4 Economic Protectionism
3.1.3 The Concept of Data Transfers
3.1.3.1 Terminology
3.1.3.1.1 Free Movement of Data
3.1.3.1.2 Data Flows
3.1.3.1.3 Data Transfers
3.1.3.2 The Data Processing Operation of Data Transfers
3.1.3.2.1 Transmission of Personal Data
3.1.3.2.2 Disclosure of Personal Data
3.1.3.2.3 Reasonableness Test
3.1.3.2.4 Third Countries
3.1.3.3 Data Transits
3.1.3.4 Special Territories of the EU
3.1.4 Legal Mechanisms for Data Transfers
3.1.4.1 Default Position
3.1.4.2 Adequacy Decisions
3.1.4.3 Instruments Providing Appropriate Safeguards
3.1.4.3.1 Standard Data Protection Clauses
3.1.4.3.2 BCRs
3.1.4.4 Derogations for Specific Situations
3.1.4.4.1 Contract-based Derogation
3.1.4.4.2 Consent-based Derogation
3.1.5 Summary
3.2 Continuous Protection of Personal Data and Adequacy Decisions
3.2.1 The Politics of Adequacy Decisions
3.2.1.1 No Right to an Adequacy Finding
3.2.1.2 Arbitrary Procedures
3.2.1.3 Content-related Inconsistencies
3.2.1.4 Indications of Preferential Treatment
3.2.2 Limitations on Continuous Protection of Personal Data Using Adequacy Decisions
3.2.2.1 Interference
3.2.2.2 Legal Basis
3.2.2.3 Objectives of General Interest and Protection of the Freedoms of Others
3.2.2.3.1 Public Security in a Third Country
3.2.2.3.2 Freedom of Expression and Information
3.2.2.3.3 Freedom to Conduct a Business
3.2.2.4 Proportionality
3.2.2.4.1 Public Security in a Third Country
3.2.2.4.2 Freedom of Expression and Information
3.2.2.4.3 Freedom to Conduct a Business
3.2.3 The Validity of Adequacy Decisions as a Legal Mechanism
3.2.4 The European Commission as Guardian of Fundamental Rights
3.2.5 Summary
3.3 Continuous Protection of Personal Data and Appropriate Safeguards
3.3.1 The Politics of Appropriate Safeguards
3.3.1.1 Laissez-Faire Politics
3.3.1.2 The Effect of Repealed or Invalidated Adequacy Decisions
3.3.1.3 Layered Levels of Protection Versus Same Levels of Protection
3.3.1.4 Responsibility for the Data Exporter
3.3.2 Limitations on Continuous Protection of Personal Data Using Appropriate Safeguards
3.3.2.1 Interference
3.3.2.2 Legal Basis
3.3.2.2.1 Standard Data Protection Clauses Based on Article 46(2)(c) GDPR
3.3.2.2.2 BCRs Based on Article 46(2)(b) GDPR
3.3.2.3 Objectives of General Interest and Protection of Freedoms of Others
3.3.2.3.1 Public Security in a Third Country
3.3.2.3.2 Freedom of Expression and Information
3.3.2.3.3 Freedom to Conduct a Business
3.3.2.4 Proportionality
3.3.2.4.1 Freedom of Expression and Information
3.3.2.4.2 Freedom to Conduct a Business
3.3.3 The Validity of Appropriate Safeguards as a Legal Mechanism
3.3.3.1 Standard Data Protection Clauses Based on Article 46(2)(c) GDPR
3.3.3.1.1 Additional Safeguards
3.3.3.1.2 Compliance Mechanisms
3.3.3.1.3 Powers of Supervisory Authorities
3.3.3.1.4 Rights of Individuals
3.3.3.1.5 Consistent Enforcement Among Member States
3.3.3.2 BCRs Based on Article 46(2)(b) GDPR
3.3.4 Supervisory Authorities as Guardians of Fundamental Rights
3.3.5 Summary
3.4 Continuous Protection of Personal Data and Derogations
3.4.1 The Politics of Derogations
3.4.1.1 Contradiction
3.4.1.2 Resolution
3.4.2 Limitations on Continuous Protection of Personal Data with the Derogations
3.4.2.1 Interference
3.4.2.2 Legal Basis
3.4.2.3 Objectives of General Interest and Protection of the Freedoms of Others
3.4.2.3.1 Public Security in a Third Country
3.4.2.3.2 Freedom of Expression and Information
3.4.2.3.3 Freedom to Conduct a Business
3.4.2.4 Proportionality
3.4.2.4.1 Freedom of Expression and Information
3.4.2.4.2 Freedom to Conduct a Business
3.4.3 Waiver on Continuous Protection for Personal Data
3.4.3.1 Availability of the Waiver
3.4.3.2 Test for the Waiver
3.4.3.3 Conditions of the Waiver
3.4.3.3.1 Unforcedness
3.4.3.3.2 Full Knowledge of the Surrounding Circumstances
3.4.3.3.3 Unequivocalness
3.4.3.3.4 Minimum Safeguards
3.4.3.3.5 Respect for Important Public Interests
3.4.3.3.6 Maintaining the Right
3.4.3.4 Lawfulness of the Waiver
3.4.4 The Data Subjects as Guardians of Fundamental Rights
3.4.5 Summary
3.5 Conclusion
References
Bibliography
Jurisprudence
Documents
Part II: International Trade Law
Chapter 4: Restrictions on Data Transfers and the WTO
4.1 Data Flows and Trade in Digital Services
4.1.1 Trade in Digital Services
4.1.2 Data Localization
4.1.3 Services with Systematic Flows of Personal Data
4.1.3.1 Cloud Computing Services
4.1.3.2 Search Engine Services
4.1.3.3 Social Network Services
4.1.3.4 Internet of Things Services
4.1.3.5 Sharing Economy Platform Services
4.1.4 Services with Occasional Flows of Personal Data
4.1.4.1 Travel Agency Services
4.1.4.2 Digital Medical Services
4.1.4.3 Legal Services
4.1.5 Summary
4.2 Data Flows and the Law on Trade in Services
4.2.1 General Agreement on Trade in Services
4.2.1.1 Scope
4.2.1.1.1 Services
4.2.1.1.2 Supply of Services
4.2.1.1.3 Schedules
4.2.1.1.4 Measures Affecting Trade in Services
4.2.1.2 General Obligations
4.2.1.2.1 MFN Treatment
4.2.1.2.2 Domestic Regulation
4.2.1.3 Obligations Subject to Specific Commitments
4.2.1.3.1 Market Access
4.2.1.3.2 National Treatment
4.2.1.4 Exceptions
4.2.1.4.1 Economic Integration
4.2.1.4.2 General Exceptions
4.2.1.4.2.1 Privacy Exception
4.2.1.4.2.2 Chapeau
4.2.1.4.3 Security Exceptions
4.2.2 Annex on Telecommunications
4.2.2.1 Enabling Function
4.2.2.2 Substantive Obligations
4.2.2.3 Coverage of the Internet
4.2.2.4 Confidentiality Exception
4.2.3 Treatment of Digital Services
4.2.3.1 Commitments
4.2.3.2 Mode of Supply
4.2.3.3 Classification
4.2.3.3.1 Coverage of the Service Sectoral Classification List
4.2.3.3.2 Interpretation of the Schedules
4.2.3.3.3 Evolution of Technology
4.2.3.3.4 Service Output
4.2.3.3.5 Integrated Services
4.2.3.3.6 Functional Approach
4.2.3.4 Examples
4.2.3.4.1 Cloud Computing Services
4.2.3.4.1.1 Cloud Computing Without Distinction by Type
4.2.3.4.1.2 IaaS
4.2.3.4.1.3 PaaS
4.2.3.4.1.4 SaaS
4.2.3.4.2 Search Engine Services
4.2.3.4.3 Social Network Services
4.2.3.4.4 Online Advertising Services
4.2.3.4.5 IoT Services
4.2.3.4.6 Sharing Economy Platform Services
4.2.3.4.7 Travel Agencies
4.2.3.4.8 Digital Medical Services
4.2.3.4.9 Legal Services
4.2.4 Electronic Commerce Negotiations
4.2.4.1 Preparatory Work
4.2.4.2 Emancipation from the Doha Structure
4.2.4.3 Joint Statement Initiative
4.2.4.4 Current Negotiations
4.2.5 Summary
4.3 The Regulation of Data Transfers as Trade Barrier
4.3.1 MFN Treatment
4.3.1.1 Adequacy Decisions
4.3.1.1.1 Services with Systematic Flows of Personal Data
4.3.1.1.2 Services with Occasional Flows of Personal Data
4.3.1.2 Special Framework Adequacy Decisions
4.3.1.3 Adequacy Assessment
4.3.1.3.1 Access
4.3.1.3.2 Management
4.3.1.4 Appropriate Safeguards
4.3.2 Domestic Regulation
4.3.2.1 Administration of Measures
4.3.2.1.1 Adequacy Decisions
4.3.2.1.1.1 Number of Adequacy Decisions
4.3.2.1.1.2 Selection of Countries for Adequacy Decisions
4.3.2.1.1.3 Consistency of Adequacy Assessments
4.3.2.1.1.4 Procedures of the Adequacy Assessment
4.3.2.1.2 Special Framework Adequacy Decisions
4.3.2.1.3 Standard Data Protection Clauses
4.3.2.1.4 BCRs
4.3.2.1.5 Derogations
4.3.2.1.6 Overlapping Requirements
4.3.2.2 Judicial, Arbitral or Administrative Mechanisms
4.3.2.2.1 Adequacy Decisions
4.3.2.2.2 Standard Data Protection Clauses
4.3.2.2.3 BCRs
4.3.2.3 Authorization Requirements
4.3.2.4 Qualification Procedures, Technical Standards and Licensing Requirements
4.3.3 Market Access
4.3.3.1 The Relationship Between Data Localization and Market Access
4.3.3.1.1 Cross-border Supply of Services and Data Localization
4.3.3.1.2 Quantitative and Qualitative Implications of Data Localization
4.3.3.2 Services with Systematic Flows of Personal Data
4.3.3.2.1 Cloud Computing Services
4.3.3.2.2 Search Engine Services
4.3.3.2.3 Social Network Services
4.3.3.2.4 Online Advertising Services
4.3.3.2.5 IoT Services
4.3.3.2.6 Sharing Economy Platform Services
4.3.3.3 Services with Occasional Flows of Personal Data
4.3.3.4 Preventing Interferences
4.3.3.4.1 Modification of the Schedule
4.3.3.4.2 Electronic Commerce Negotiations
4.3.4 National Treatment
4.3.4.1 Adequacy Decisions
4.3.4.2 Appropriate Safeguards
4.3.4.2.1 Appropriate Safeguards Are Not Available
4.3.4.2.2 Appropriate Safeguards Are Available
4.3.4.3 Derogations
4.3.4.4 Preventing Interferences
4.3.5 Summary
4.4 The Regulation of Data Transfers as a Justifiable Trade Barrier
4.4.1 Economic Integration Exception
4.4.1.1 Adequacy Decisions Are Not Economic Integration Agreement
4.4.1.2 Adequacy Decision and Economic Integration Agreements
4.4.1.3 Appropriate Safeguards and Economic Integration Agreements
4.4.1.4 The Common Market of the EU
4.4.1.4.1 Most-Favored Nations Treatment Violations
4.4.1.4.2 National Treatment Violations
4.4.2 Security Exceptions
4.4.3 Confidentiality Exception
4.4.4 General Exceptions
4.4.4.1 Interference with the MFN Treatment Obligation
4.4.4.1.1 Privacy Exception
4.4.4.1.1.1 Adequacy Decisions Versus Appropriate Safeguards
4.4.4.1.1.2 Appropriate Safeguards Versus Derogations
4.4.4.1.2 Chapeau
4.4.4.1.2.1 Adequacy Decisions Versus Appropriate Safeguards
4.4.4.1.2.2 Appropriate Safeguards Versus Derogations
4.4.4.2 Interference with the Domestic Regulation Obligation
4.4.4.2.1 Privacy Exception
4.4.4.2.1.1 Interference Based on Special Framework Adequacy Decisions
4.4.4.2.1.2 Interference Based on Corrective Powers of Supervisory Authorities
4.4.4.2.2 Chapeau
4.4.4.3 Interference with the Market Access Obligation
4.4.4.3.1 Privacy Exception
4.4.4.3.2 Chapeau
4.4.4.4 Interference with the National Treatment Obligation
4.4.4.4.1 Privacy Exception
4.4.4.4.1.1 Interference Based on Appropriate Safeguards
4.4.4.4.1.2 Interference Based on Corrective Powers of Supervisory Authorities
4.4.4.4.2 Chapeau
4.4.4.4.2.1 Interference Based on Appropriate Safeguards
4.4.4.4.2.2 Interference Based on Corrective Powers of Supervisory Authorities
4.4.5 Summary
4.5 Conclusion
References
Bibliography
Jurisprudence
Documents
Chapter 5: Restrictions on Data Transfers and Trade Agreements
5.1 Data Flow Clauses in Trade Agreements
5.1.1 Development in EU Trade Agreements
5.1.1.1 EU-Algeria Association Agreement
5.1.1.2 EU-CARIFORUM Economic Partnership Agreement
5.1.1.3 EU-Canada Comprehensive Economic and Trade Agreement
5.1.1.4 EU-Japan Economic Partnership Agreement
5.1.2 Development in the Mega-Regional Trade Agreements
5.1.2.1 Transatlantic Trade and Investment Partnership
5.1.2.2 Trade in Services Agreement
5.1.2.3 Comprehensive and Progressive Agreement for Trans-Pacific Partnership
5.1.3 Development in US Trade Agreements
5.1.3.1 US-South Korea Free Trade Agreement
5.1.3.2 United States-Mexico-Canada Agreement
5.1.3.3 US-Japan Digital Trade Agreement
5.1.4 Development in Non-EU/US Trade Agreements
5.1.4.1 Costa Rica-Colombia Trade Agreement
5.1.4.2 Mexico-Panama Trade Agreement
5.1.4.3 China-Republic of Korea Trade Agreement
5.1.4.4 Sri Lanka-Singapore Trade Agreement
5.1.5 Summary
5.2 Legal Requirements for Data Flow Clauses in EU Trade Agreements
5.2.1 Respecting the Primacy of Fundamental Rights Over International Law
5.2.1.1 The Relationship of Primary Union Law and International Law
5.2.1.1.1 Hierarchy in the Legal Order
5.2.1.1.2 A Priori Examination of International Agreements by the European Court of Justice
5.2.1.1.3 A Posteriori Review of International Agreements by the European Court of Justice
5.2.1.2 Implication for the Design of Data Flow Clauses
5.2.2 Accommodating the Legal Mechanisms for Data Transfers
5.2.2.1 The Relationship of Secondary Union Law and International Law
5.2.2.1.1 Hierarchy in the Legal Order
5.2.2.1.2 Review of Secondary Law in Light of International Agreements by the European Court of Justice
5.2.2.2 Implications for the Design of Data Flow Clauses
5.2.3 Including Cooperation for the Protection of Personal Data
5.2.4 Banning Other Data Localization Obligations
5.2.5 Summary
5.3 Designs for Data Flow Clauses in EU Trade Agreements
5.3.1 Data Flow Obligation with a Data Protection Exception
5.3.2 Data Flow Obligation with an Adequacy Exception
5.3.3 Data Flow Obligation with an Adequacy Condition
5.3.4 Data Flow Obligation with Data Protection Obligations
5.3.5 Summary
5.4 The Model Data Flow Clauses for EU Trade Agreements
5.4.1 Addressing Data Protection as a Fundamental Right
5.4.2 Banning Data Localization Requirements
5.4.3 Carving-Out Space for the Regulation of Data Protection
5.4.4 Rejecting Regulatory Cooperation for Data Protection
5.4.5 Summary
5.5 Conclusion
References
Bibliography
Jurisprudence
Documents
Part III: Epilogue
Chapter 6: Concluding Remarks: Data Protection Without Data Protectionism
References
Bibliography
Jurisprudence
Documents
About the Author